Add minimal GitHub Actions permissions and coverage upload workflow

Co-authored-by: maciej.jastrzebski <[email protected]>

Author: cursoragent

.github/workflows/ci.yml

@@ -5,6 +5,10 @@ on:
   pull_request:
     branches: ['**']
 
+# Set minimal permissions by default
+permissions:
+  contents: read
+
 concurrency:
   group: ${{ github.workflow }}-${{ github.ref }}
   cancel-in-progress: ${{ !contains(github.ref, 'main')}}
@@ -13,6 +17,8 @@ jobs:
   install-cache-deps:
     runs-on: ubuntu-latest
     name: Install and Cache deps
+    permissions:
+      contents: read
     steps:
       - name: Checkout
         uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
@@ -24,6 +30,8 @@ jobs:
     needs: [install-cache-deps]
     runs-on: ubuntu-latest
     name: Lint
+    permissions:
+      contents: read
     steps:
       - name: Checkout
         uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
@@ -38,6 +46,8 @@ jobs:
     needs: [install-cache-deps]
     runs-on: ubuntu-latest
     name: Typecheck
+    permissions:
+      contents: read
     steps:
       - name: Checkout
         uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
@@ -52,6 +62,8 @@ jobs:
     needs: [install-cache-deps]
     runs-on: ubuntu-latest
     name: Test
+    permissions:
+      contents: read
     steps:
       - name: Checkout
         uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
@@ -62,6 +74,32 @@ jobs:
       - name: Test
         run: yarn test:ci:coverage
 
+      - name: Upload coverage reports
+        uses: actions/upload-artifact@b4b15b8c7c6ac21ea08fcf65892d2ee8f75cf882 # v4.4.3
+        with:
+          name: coverage-reports
+          path: coverage/
+          retention-days: 1
+
+  # Separate job for codecov upload that only runs on trusted events
+  upload-coverage:
+    needs: [test]
+    runs-on: ubuntu-latest
+    name: Upload Coverage
+    # Only run on push to main (trusted event) to avoid exposing secrets to forks
+    if: github.event_name == 'push' && github.ref == 'refs/heads/main'
+    permissions:
+      contents: read
+    steps:
+      - name: Checkout
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+
+      - name: Download coverage reports
+        uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8
+        with:
+          name: coverage-reports
+          path: coverage/
+
       - name: Upload coverage to Codecov
         uses: codecov/codecov-action@18283e04ce6e62d37312384ff67231eb8fd56d24 # v5.4.3
         env:
@@ -71,6 +109,8 @@ jobs:
     needs: [install-cache-deps]
     runs-on: ubuntu-latest
     name: Test React 18
+    permissions:
+      contents: read
     steps:
       - name: Checkout
         uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2

.github/workflows/example-apps.yml

@@ -8,6 +8,10 @@ on:
     branches: ['**']
     paths: ['examples/**']
 
+# Set minimal permissions by default
+permissions:
+  contents: read
+
 jobs:
   test-example:
     strategy:
@@ -17,6 +21,8 @@ jobs:
     name: Test Example
     runs-on: ubuntu-latest
     timeout-minutes: 10
+    permissions:
+      contents: read
     steps:
       - name: Checkout
         uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2

.github/workflows/website.yml

@@ -8,6 +8,10 @@ on:
     branches: ['**']
     paths: ['website/**']
 
+# Set minimal permissions by default
+permissions:
+  contents: read
+
 concurrency:
   group: ${{ github.workflow }}-${{ github.ref }}
   cancel-in-progress: ${{ !contains(github.ref, 'main')}}
@@ -16,6 +20,8 @@ jobs:
   test:
     runs-on: ubuntu-latest
     name: Test Website
+    permissions:
+      contents: read
     steps:
       - name: Checkout
         uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
@@ -28,8 +34,13 @@ jobs:
 
   deploy:
     name: Deploy to GitHub Pages
+    # Only run on push to main (trusted event) - secrets are safe here
     if: github.ref == 'refs/heads/main'
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      pages: write
+      id-token: write
     steps:
       - name: Checkout
         uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2